'''
CRIME attack - PoC
Implementation of the compression oracle attack behind CRIME
Algo: RC4
Author: mpgn <[email protected]> - 2018
@mpgn_x64
'''
import zlib
import random
import string
import sys
from Crypto.Cipher import ARC4
"""
cipher = RC4(plaintext)
KEY is random
there is no handshake (no need)
"""
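# cipher a message
def encrypt(msg):
    """Compress *msg* with zlib, then encrypt the result with RC4 under KEY.

    Models the "compress-then-encrypt" construction CRIME targets: the
    ciphertext length equals the compressed length, so anyone who can see
    the ciphertext learns how well the plaintext compressed.

    Args:
        msg: bytes to protect.

    Returns:
        RC4(zlib.compress(msg)) as bytes.

    Notes:
        KEY is a module-level global.  A fresh ARC4 instance with the same
        key is created per call, so every message is XORed with the same
        keystream — fine for a length-only demo, unsafe for real traffic.
    """
    cipher = ARC4.new(KEY)
    return cipher.encrypt(zlib.compress(msg))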
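# decipher a message
def decrypt(enc):
    """Invert encrypt(): strip the RC4 keystream first, then zlib-inflate.

    The two steps have to run in the reverse order of encrypt().  The
    previous version decompressed the raw ciphertext, which is not valid
    zlib data, so this function never worked (it is not called elsewhere
    in the file, which is why it went unnoticed).

    Args:
        enc: bytes produced by encrypt().

    Returns:
        The original plaintext bytes.

    Raises:
        zlib.error: if the decrypted bytes are not a valid zlib stream
            (e.g. wrong KEY or corrupted input).
    """
    decipher = ARC4.new(KEY)
    return zlib.decompress(decipher.decrypt(enc))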
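def two_tries_recursive(found, p):
    """Extend the recovered prefix one character at a time via the length oracle.

    For every printable candidate character two messages are built and run
    through encrypt(): one with the candidate placed directly after the known
    prefix (IKNOW + found), one with the candidate moved behind the separator.
    Only the two ciphertext lengths are compared.  When the "adjacent" message
    is shorter, zlib found a longer back-reference into SECRET, so the
    candidate is accepted as the next character and the search recurses on
    the extended prefix.  Nothing but a length difference is observed — this
    is the entire CRIME/BREACH leak, and the reason compressing a secret
    together with attacker-controlled input is unsafe.

    Args:
        found: characters recovered so far (after IKNOW), as a list.
        p: running count of exhausted branches.

    Returns:
        p plus one for every branch that ends with no surviving candidate,
        i.e. the number of complete secrets the search considered.
        Progress is written to stdout with '\\r' so the line updates in place.
        Relies on the module-level IKNOW, SECRET and encrypt().
    """
    alphabet = string.ascii_lowercase + string.digits
    known = IKNOW + ''.join(found)
    secret_text = SECRET.decode()
    separator = '~#:/[|/ç'

    candidates = []
    for code in range(33, 127):
        # Fresh random padding on each try; presumably so that accidental
        # matches against the padding do not bias the length comparison.
        rand1 = ''.join(random.sample(alphabet, k=17))
        rand2 = ''.join(random.sample(alphabet, k=17))
        guess = chr(code)
        adjacent = rand1 + known + guess + separator + ' ' + secret_text + ' ' + rand2
        enc1 = encrypt(adjacent.encode())
        detached = rand1 + known + separator + guess + ' ' + secret_text + ' ' + rand2
        enc2 = encrypt(detached.encode())
        # The oracle: a strictly shorter ciphertext means the guess extended
        # the match against the secret.
        if len(enc1) < len(enc2):
            candidates.append(guess)

    for guess in candidates:
        extended = list(found)
        extended.append(guess)
        sys.stdout.write('\r[+] flag=%s' % ''.join(extended))
        p = two_tries_recursive(extended, p)

    # Leaf of the search tree: no candidate compressed better, so this
    # prefix is one complete possibility.
    if not candidates:
        p += 1
        print("")
    return p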
def run():
    """Start the search from an empty prefix and report how many branches it exhausted.

    Returns None; the count is printed.  Depends on two_tries_recursive().
    """
    possibilities = two_tries_recursive([], 0)
    print("\nFound", str(possibilities), "possibilities of secret flag")
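if __name__ == '__main__':
    print("{-} CRIME Proof of Concept by @mpgn_x64\n")
    # Module-level globals read by encrypt()/decrypt() and two_tries_recursive().
    # KEY is random per run and never leaves the process; the attack below
    # never needs it, which is the point of the demo.  It is encoded to bytes
    # because ARC4.new() in current pycryptodome rejects a str key, while the
    # legacy pycrypto API accepted either form with the same UTF-8 bytes.
    KEY = ''.join(random.sample(string.ascii_uppercase + string.digits, k=17)).encode()
    SECRET = b"flag={quokkalight_1s_th3_b3st_t34m}"
    IKNOW = "flag="
    print("[+] Secret TOKEN :", SECRET.decode())
    print("[+] Encrypted with \033[33mRC4\033[0m")
    print("[+] Trying to decrypt with a compression oracle attacks using a \033[33mrecursive two_tries\033[0m method")
    print("")
    run()
    print("")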